[curves] Finalizing XEdDSA
Conrado P. L. Gouvêa
conradoplg at gmail.com
Wed May 22 11:13:16 PDT 2019
On Mon, Oct 31, 2016 at 7:12 PM Trevor Perrin <trevp at trevp.net> wrote:
> Thanks for feedback everyone,
> I plan to make the following tweaks, then freeze the design (at least
> for 25519):
> (2) Replace hash_i(a || ... || Z) with hash_i(a || Z || pad || ...)
> for reasons here - mainly a bit more sidechannel resistance, and
> slightly cleaner use of the hash.
Sorry for resurrecting this, but I've been studying this issue and I'm
wondering: is there any reason why this was not incorporated into the
specification? It still uses hash_i(a || ... || Z).
In this paper https://eprint.iacr.org/2017/985.pdf it is explicitly
mentioned that XEdDSA is vulnerable for this reason.
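As an added illustration of the tweak discussed in this thread (not code from the XEdDSA specification or from either poster), the following Python builds the hash_1 input for the nonce in both orderings and reports which SHA-512 compression blocks process the long-term secret a together with attacker-chosen message bytes; the exact form of "pad" is an assumption (zero bytes up to the next block boundary).

```python
import hashlib

# Curve25519 group order q (from the XEdDSA spec) and the SHA-512 block size.
Q = 2**252 + 27742317777372353535851937790883648493
BLOCK = 128

def hash_prefix(i: int, b: int = 256) -> bytes:
    """XEdDSA hash_i domain separator: the integer 2^b - 1 - i, little-endian."""
    return (2**b - 1 - i).to_bytes(b // 8, "little")

def nonce_layout(a: bytes, msg: bytes, z: bytes, spec_order: bool):
    """Return (hash_1 input, one label per byte): 'p' prefix, 'a' secret scalar,
    'M' attacker-controlled message, 'Z' fresh 64-byte random, '0' pad.
    spec_order=True  -> hash_1(a || M || Z)        (current XEdDSA spec)
    spec_order=False -> hash_1(a || Z || pad || M) (tweak proposed in the thread)
    The pad is assumed to be zero bytes up to the next SHA-512 block boundary;
    for 25519 prefix+a+Z is already exactly 128 bytes, so it is empty."""
    parts = [(hash_prefix(1), "p"), (a, "a")]
    if spec_order:
        parts += [(msg, "M"), (z, "Z")]
    else:
        pad = b"\x00" * (-(len(hash_prefix(1)) + len(a) + len(z)) % BLOCK)
        parts += [(z, "Z"), (pad, "0"), (msg, "M")]
    data = b"".join(p for p, _ in parts)
    labels = "".join(lbl * len(p) for p, lbl in parts)
    return data, labels

def blocks_mixing_a_and_msg(labels: str) -> list:
    """Indices of SHA-512 compression blocks that process both the long-term
    secret a and attacker-chosen message bytes. Such a block is what a DPA-style
    attack on the compression function needs (fixed secret, varying known input),
    so an empty list is the desirable outcome."""
    return [i // BLOCK for i in range(0, len(labels), BLOCK)
            if "a" in labels[i:i + BLOCK] and "M" in labels[i:i + BLOCK]]

def xeddsa_nonce(a: bytes, msg: bytes, z: bytes, spec_order: bool) -> int:
    """r = hash_1(...) mod q, the 64-byte digest read as a little-endian integer."""
    data, _ = nonce_layout(a, msg, z, spec_order)
    return int.from_bytes(hashlib.sha512(data).digest(), "little") % Q

if __name__ == "__main__":
    # Constructed sample inputs; a real signer uses its private scalar and 64
    # fresh random bytes Z per signature.
    a, z = b"\x11" * 32, b"\x22" * 64
    msg = b"constructed message " * 3
    for order in (True, False):
        _, labels = nonce_layout(a, msg, z, order)
        print("spec order" if order else "tweaked order",
              "blocks mixing a and M:", blocks_mixing_a_and_msg(labels))
```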